Password breach warning on HL?

  • colsten
    colsten Posts: 17,597 Forumite
    Presumably the issue only exists for people who store their passwords in Chrome? 

    It's not much of an issue, though, as you can't log in without also entering 3 random characters from your Secure Number. Plus, you can turn on 2 factor authentication, which makes your login pretty unhackable (unless you are also careless with your phone).
  • Is it possible that the warning relates to the first part of the log in process with HL, i.e. username and date of birth? Which do not change?
  • masonic said:
    It's not passwords that are hacked, it's companies storing passwords in a way that allows said company to access them. If you are the only one who knows your password, and it isn't guessable, then it won't be hacked. If you want to be really sure, don't use a service that stores anything online. Never use a password manager with the ability to recover a lost master password.
    Quite so.

    Presumably in order to say someone's username and password combination may be compromised Google has to match what you've just input against a database of usernames and passwords. Which implies Google knows your username/password combo:
    1 Does Google keep a record (what happens if Google gets hacked?).
    2 The idea that https:// implies a secure connection to a website isn't necessarily the case.

    I don't use Chrome. Maybe it's an optional add-on creating the issue.....  Anyway, I have had no problems on the HL site using Firefox.

  • wesleyad
    wesleyad Posts: 754 Forumite
    This warning isn't from HL, it's from Google. It doesn't mean your password has actually been hacked. What it means is a site you have previously used has told Google that it has "potentially" been infiltrated and if so then your password/username combo "may" have been accessed by a third party. But tbh these data breaches happen all the time.

    You can check your password breaches in settings/passwords and if you have breaches it will tell you. I currently have 197. But the key is to make sure you have different passwords for important things.. email, bank, paypal, amazon etc. Anything that can be used financially.
  • masonic
    masonic Posts: 27,172 Forumite
    edited 16 July 2020 at 12:20PM
    masonic said:
    It's not passwords that are hacked, it's companies storing passwords in a way that allows said company to access them. If you are the only one who knows your password, and it isn't guessable, then it won't be hacked. If you want to be really sure, don't use a service that stores anything online. Never use a password manager with the ability to recover a lost master password.
    Quite so.

    Presumably in order to say someone's username and password combination may be compromised Google has to match what you've just input against a database of usernames and passwords. Which implies Google knows your username/password combo:
    1 Does Google keep a record (what happens if Google gets hacked?).
    2 The idea that https:// implies a secure connection to a website isn't necessarily the case.

    I don't use Chrome. Maybe it's an optional add-on creating the issue.....  Anyway, I have had no problems on the HL site using Firefox.
    wesleyad said:
    This warning isn't from HL, it's from Google. It doesn't mean your password has actually been hacked. What it means is a site you have previously used has told Google that it has "potentially" been infiltrated and if so then your password/username combo "may" have been accessed by a third party. But tbh these data breaches happen all the time.

    You can check your password breaches in settings/passwords and if you have breaches it will tell you. I currently have 197. But the key is to make sure you have different passwords for important things.. email, bank, paypal, amazon etc. Anything that can be used financially.
    Google describes exactly what it is doing here: https://security.googleblog.com/2019/12/better-password-protections-in-chrome.html

    It is capturing username/password combinations you enter into the login pages of websites and checking if that same username/password combination has been found in any known leaked password database.

    It does indeed mean that username/password combination has been leaked in a data breach. It does not mean a site you have previously used has been breached. What it interprets as a username and password might not correspond to an actual username and/or password, which is probably why the HL login process is throwing up so many alerts.

    If you use the Google Chrome browser, then Google is at liberty to see everything you can see and everything you type into the browser. The same is true of any antivirus software you have installed, or any malicious software you have running on your computer. The idea that https:// provides a secure connection to a website is only true over the wire (and wi-fi), it does not secure your online activity from things running on your own computer any more than it can secure your activity from someone standing behind you looking over your shoulder.
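
Added example (not part of any post in this thread, and not Chrome's actual protocol): a simplified hash-prefix lookup showing how a username/password pair can be tested against a leaked-credential set while the checking service receives only a short hash prefix. The `BreachServer` class, the `PREFIX_HEX` value and the sample credentials are constructed for illustration, and plain SHA-256 is used for brevity.

```python
import hashlib

PREFIX_HEX = 5  # assumption: hex digits of the digest the client reveals (20 bits)

def cred_hash(username: str, password: str) -> str:
    """Hash the canonicalised username together with the password."""
    canon = username.strip().lower()
    return hashlib.sha256(f"{canon}\x00{password}".encode()).hexdigest()

class BreachServer:
    """Hypothetical checking service holding hashes of leaked credential pairs."""

    def __init__(self, leaked_pairs):
        self.buckets = {}
        self.seen = []  # everything the server ever receives from clients
        for user, pw in leaked_pairs:
            digest = cred_hash(user, pw)
            self.buckets.setdefault(digest[:PREFIX_HEX], set()).add(digest[PREFIX_HEX:])

    def lookup(self, prefix: str) -> set:
        """Return every stored digest suffix that shares the given prefix."""
        self.seen.append(prefix)
        return set(self.buckets.get(prefix, ()))

def is_breached(server: BreachServer, username: str, password: str) -> bool:
    """Send only the prefix; compare the rest of the digest locally."""
    digest = cred_hash(username, password)
    return digest[PREFIX_HEX:] in server.lookup(digest[:PREFIX_HEX])

# Constructed sample data, not taken from any real breach.
LEAKED = [("alice@example.com", "hunter2"), ("bob@example.com", "letmein")]

if __name__ == "__main__":
    server = BreachServer(LEAKED)
    print(is_breached(server, "Alice@Example.com", "hunter2"))        # leaked pair
    print(is_breached(server, "alice@example.com", "S0me-other-pw"))  # not leaked
    print(server.seen)  # only short prefixes ever reached the server
```

The match is decided on the client side, so the service learns a 20-bit prefix shared by many possible credentials rather than the credential itself.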
  • Yes https simply means that the connection between your browser and the website is encrypted

    it does not mean anything else

    in particular it does NOT mean that you are connected to the correct website

    The thing that will tell you that is the website certificate (if they have one) which you can view in your browser
  • AnotherJoe
    AnotherJoe Posts: 19,622 Forumite
    edited 16 July 2020 at 12:29PM
    dunroving said:
    Swipe said:
    dunstonh said:
    dunroving said:
    It's a valid warning. It's not saying you've done anything wrong but that at some point, somewhere on the internet, someone has used the username/password combination as an authentication to a site, and that site leaked that authentication data to a malicious actor.

    Whilst your HL account is unlikely to be accessed, you should still change your password as it is a risk that you can mitigate easily. Use a random generator for your next password.

    Thank Chrome for the service rather than ignore it!
    The problem with completely randomly generated passwords is you have to write them down somewhere. I use passwords nobody would guess, but I have a system to remember. As per your advice, I'll change my password (again). 
    Look up bitwarden.   https://bitwarden.com/
    There are others (such as LastPass, dashlane etc).  
    This is the best advice anyone can offer you. I really don't understand anyone who doesn't use a password manager in this day and age. And write down your master password somewhere safe.

    I always wonder, though - if other passwords can be somehow hacked, what's to stop the master password for a password manager being hacked in the same way? (Genuine question)

    Not using one that stores it "in the cloud" (aka just someone else's computer)
    I use a password manager which has that option but it's switched off, so the password database is locally stored and encrypted. (and backed up of course)
    One good side-effect of the annoyance of HL now needing an extra passcode they send to your phone when you get Active Savings, is that it enforces 2FA so even having the password wouldn't do an attacker any good.
    Better security than Twitter it seems. Crazy on there last night. Still waiting for Elon Musk, Bill Gates and Barack Obama to give me my bitcoins back :'(

  • AnotherJoe
    AnotherJoe Posts: 19,622 Forumite
    sebtomato said:
    Same warning for me, on both PC and smartphone (Chrome browser on Android).
    Changed my password, and still getting the same warning, so must be a glitch. However, you would expect HL to put some banner on their website to advise people using Chrome but of course nothing.

    Why don't Chrome / Google warn about the glitch? Or maybe it's simply a rainbow table of ALL 15 character combinations so it doesn't matter what your password is anyway from that respect, it's no less (or more) secure. It's overdone anyway unless they had access to the main broker computers they would lock out after a few attempts.
  • Swipe
    Swipe Posts: 5,607 Forumite
    dunroving said:
    Swipe said:
    dunstonh said:
    dunroving said:
    It's a valid warning. It's not saying you've done anything wrong but that at some point, somewhere on the internet, someone has used the username/password combination as an authentication to a site, and that site leaked that authentication data to a malicious actor.

    Whilst your HL account is unlikely to be accessed, you should still change your password as it is a risk that you can mitigate easily. Use a random generator for your next password.

    Thank Chrome for the service rather than ignore it!
    The problem with completely randomly generated passwords is you have to write them down somewhere. I use passwords nobody would guess, but I have a system to remember. As per your advice, I'll change my password (again). 
    Look up bitwarden.   https://bitwarden.com/
    There are others (such as LastPass, dashlane etc).  
    This is the best advice anyone can offer you. I really don't understand anyone who doesn't use a password manager in this day and age. And write down your master password somewhere safe.

    I always wonder, though - if other passwords can be somehow hacked, what's to stop the master password for a password manager being hacked in the same way? (Genuine question)
    Anyone using a password manager should not do so without enabling 2 factor authentication. This will prevent logins from new devices even if the master password is compromised.

  • Chordeiles
    Chordeiles Posts: 179 Forumite
    Just had this as I logged into Hargreaves Lansdown.  My password is long, random-looking and (as far as I can remember) issued by HL themselves.  Happily HL now have the extra security of sending a code to my mobile.
    My main security concern is now that Google are spying on my passwords to provide this service! I certainly don't ask Chrome to store passwords for me.